Ransomware: Insurance Protects Your Company But Still Funds Evil
A Conversation Between Christopher Skroupa, Skytop Editor-in-Chief and Ira Winkler, CISSP, CISO for Skyline Technology Solutions and author of You Can Stop Stupid / November 9th, 2021
Ira Winkler, CISSP, is CISO for Skyline Technology Solutions and author of You Can Stop Stupid. He is considered one of the world’s most influential security professionals and has been named a “Modern Day James Bond” by the media. He earned this by performing espionage simulations, in which he physically and technically “broke into” some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader. Most recently, Ira was named 2021 Top Cybersecurity Leader by Security Magazine.
Christopher Skroupa: The recent pipeline ransomware attack is a bellwether for what companies can expect. That said, what can companies do to avoid or avert this cover story?
Ira Winkler: The reality is that the Colonial Pipeline attack is just one among many. People forget WannaCry and other attacks that cost Maersk and economies billions of dollars and shut down hospitals for an extended period of time. The solutions really haven’t changed much. In my book, You Can Stop Stupid, I address a comprehensive approach in looking at actions that require user actions to initiate them, such as a user clicking on ransomware. Currently, organizations seem to address the problem by throwing tools at it. This is a tactical approach. For example, anti-malware can stop an attack. However, if the anti-malware fails, you are in trouble.
I advocate an end-to-end strategy that involves preventing ransomware from getting to the user, stopping the user from launching the ransomware, and then expecting ransomware to be activated and preventing the impact in all vectors. It might sound simple, but it requires a well-thought-out strategy to implement. It can be done, but people have the focus on tactics, like creating “the human firewall,” which is a myth. In the case of Colonial Pipeline, it appears that criminals didn’t send ransomware to users, but phished their credentials and logged in as the users. They then launched the ransomware themselves. Multi-factor authentication would have stopped these attacks supposedly.
Christopher: It seems organized crime is a proxy for hostile nation states in ransomware attacks. Do you agree? If so, how does the government address corporate losses beyond cyber insurance?
Ira: In some cases, organized crime or random criminal hackers do act on behalf of the government. For example, when Russia invaded Georgia a few years back, all of a sudden, Russian hackers “randomly” started attacking Georgia before the invasion.
The reality is that this is not as common as the media makes it seem. China has a tiered system of hacking, which includes government units, academic units, and criminal resources. The units tasked with hacking companies vary depending upon what they want hacked. To a large extent, the government targets information of importance to the government. North Korean government hackers are essentially criminal hacking groups as not only do they perform intelligence collection, they steal money for the benefit of the government. Most governments do little to offset the losses. They are not just going to give money to companies who have lost money.
Again, they basically are responsible for prosecuting crimes. The FBI getting a return of a significant portion of the Colonial Pipeline ransom was a drop in the bucket and will be rare.
Christopher: If the funds are not recovered, meaning beyond insurance claim payments to reimburse for losses, what are they used for?
Ira: If the question is, “What do criminals do with the money?” the short answer is, criminal stuff. They use the money as they see fit, which may include paying bribes to officials for not being prosecuted.
Christopher: Do you see more partnership between large multinational publicly traded companies and the government in finding and prosecuting cyber criminals?
Ira: I unfortunately see the government doing things for show without making a substantial improvement in the problem. When there are highly notable organizations that have stolen a great deal of money and impacted many organizations, then there is an effort to disrupt the criminal’s infrastructure. Otherwise, unless it is a single notable crime against a high profile target, there is little that is done.
Finding and prosecuting them is another level. Most of these criminals are either excellent at hiding their tracks or are in areas where they cannot be touched.